Perform Google Apps domain-wide delegation of authority

In enterprise applications, you might want to programmatically access user data
without any manual authorization on the user's part. In Google Apps domains, the
domain administrator can grant specific third-party applications domain-wide
access to the domain's user data; this is referred to as domain-wide delegation of
authority. To delegate authority in this way, domain administrators must use
service accounts with OAuth 2.0.

You must first create a service account.

Create a console project with service account credentials

The following steps create a Google API Console project with credentials for
a service account. The procedure generates credentials that your
application will need: the client ID, the private key, and the
email address of the service account.

In the list of Google APIs, search for the Google+ Domains API service.

Select Google+ Domains API from the results list.

Select Enable API.

When the process completes, Google+ Domains API appears in the list of enabled APIs.
To access, select APIs & Services on the left sidebar menu, then select the
Enabled APIs tab.

In the sidebar under "APIs & Services", select Credentials, then select
the OAuth consent screen tab.

Choose an Email Address, specify a Product Name, and
select Save.

From the Credentials tab, select the New credentials drop-down list,
and choose Service account key.

In the Service account drop-down, choose New service account.

Enter a Name. The Service account ID is generated for you from
the name you enter. You can accept this ID or override it. The Service account ID must
be between 6 and 30 characters.

Choose a Key type, then select the Create button.

Once generated, the public/private key pair file downloads to your machine.
The file is the only copy of this key and cannot be downloaded again; you are
responsible for storing it securely. If it is lost or exposed, create a new key
and delete the old one.

A "Service account created" dialog pops-up after successful creation/download.
Select Close to return to the Credentials page.

The Credentials page now displays a Service account keys
section containing the service account ID,
Creation date, and Service account name.
To view the service account's Email address,
select Manage service accounts to access the Permissions page.
Note or copy these values to use in later steps to configure access to the API.
For examples where these values are used, see the Java or Python quickstart.

Delegate domain-wide authority to your service account

The service account must now be granted domain-wide access to the user data
for your Google Apps domain. There are two flows to do this:

If the service account is listed as an app on the
Google Apps Marketplace,
then domain-wide access to user data is granted during the installation of
that app.

If the service account isn't listed as an app, but is a custom integration,
then the domain administrator of Google Apps needs to perform the following
procedure.

Open your G Suite domain control panel, at
https://www.google.com/a/cpanel/example.com (replace example.com with your domain).

Click the Security icon. It can sometimes be found under the More controls
option.

In the Client Name field, enter the service account's client ID that you noted
when you created the credentials.

In the One or More API Scopes field, enter the comma-delimited list of scopes that
your app should be granted access to. The scope strings must match exactly the
scopes the app later requests in its assertion; grant only the scopes the app
actually needs, since every user in the domain can be impersonated with them.

Click the Authorize button.

Instantiate a Plus service object

This section shows how to instantiate a Plus service object and then authorize
it to make API requests using OAuth 2.0 and your service account's credentials
to perform Google Apps domain-wide delegation. You should now have the
service account's private key file in PKCS #12 format and the email
address of the service account.
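Before the Plus service object can call the API, the service account has to exchange a signed JWT assertion for an access token on behalf of one domain user. The following is an added example, not code from this page or from the Java/Python quickstarts, that builds that assertion: iss is the service account email, sub is the impersonated user, scope is the space-separated list of scopes the administrator authorized, and aud is the token endpoint. It assumes the current Google token endpoint URL, the "notasecret" password Google sets on console-issued PKCS #12 files, and the cryptography library for RS256 signing; the offline demo at the bottom uses a dummy signer so that it runs without a real key, and the sample scope and identities are constructed.

```python
import base64
import json
import time
from urllib.parse import urlencode

# Assumption: current Google OAuth 2.0 token endpoint (also the JWT audience).
TOKEN_URI = "https://oauth2.googleapis.com/token"
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"
# Password Google sets on PKCS #12 files downloaded from the console.
P12_PASSWORD = b"notasecret"
MAX_LIFETIME = 3600  # Google rejects assertions valid for more than one hour


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWT segments require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_claims(sa_email, subject, scopes, now=None, lifetime=MAX_LIFETIME):
    """Claim set for a domain-wide delegation assertion.

    'sub' is the user whose data the service account will access; omitting it
    would make the call as the service account itself, not as a domain user.
    """
    if not subject or "@" not in subject:
        raise ValueError("subject must be the email of the user to impersonate")
    if not scopes:
        raise ValueError("at least one scope is required")
    if lifetime > MAX_LIFETIME:
        raise ValueError("assertion lifetime may not exceed one hour")
    now = int(time.time()) if now is None else now
    return {
        "iss": sa_email,
        "sub": subject,
        "scope": " ".join(scopes),
        "aud": TOKEN_URI,
        "iat": now,
        "exp": now + lifetime,
    }


def signing_input(claims):
    """header.payload, the bytes that get signed with the service account key."""
    header = {"alg": "RS256", "typ": "JWT"}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    return b64url(compact(header)) + "." + b64url(compact(claims))


def make_assertion(claims, sign):
    """sign: callable bytes -> bytes producing an RS256 signature."""
    si = signing_input(claims)
    return si + "." + b64url(sign(si.encode("ascii")))


def token_request_body(assertion):
    """Form body to POST to TOKEN_URI; the response JSON carries access_token."""
    return urlencode({"grant_type": JWT_BEARER, "assertion": assertion})


def unauthorized_scopes(requested, granted):
    """Scopes in the assertion the admin did not authorize for this client ID.

    A non-empty result means Google answers the exchange with unauthorized_client,
    so check this before sending rather than debugging it from the error.
    """
    return sorted(set(requested) - set(granted))


def decode_claims(assertion):
    """Decode (without verifying) the claim segment, to inspect what is sent."""
    seg = assertion.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))


def rs256_signer_from_p12(p12_bytes, password=P12_PASSWORD):
    """Signer backed by the console-issued PKCS #12 file (needs 'cryptography')."""
    from cryptography.hazmat.primitives import hashes
    from cryptography.hazmat.primitives.asymmetric import padding
    from cryptography.hazmat.primitives.serialization import pkcs12

    key, _cert, _chain = pkcs12.load_key_and_certificates(p12_bytes, password)
    return lambda data: key.sign(data, padding.PKCS1v15(), hashes.SHA256())


if __name__ == "__main__":
    # Constructed sample values; the dummy signer only lets the demo run offline.
    granted = ["https://www.googleapis.com/auth/plus.me"]
    claims = build_claims("svc@example-project.iam.gserviceaccount.com",
                          "alice@example.com", granted)
    dummy_sign = lambda data: b"\x00" * 256  # NOT a valid signature
    print(token_request_body(make_assertion(claims, dummy_sign))[:80], "...")
    print("missing grants:", unauthorized_scopes(
        granted + ["https://www.googleapis.com/auth/plus.stream.read"], granted))
```

In production, replace the dummy signer with `rs256_signer_from_p12(open("key.p12", "rb").read())`, POST the body to TOKEN_URI, and hand the returned access token to the Plus service object. Keep the assertion lifetime short and the `sub` claim restricted to the user you actually need; the PKCS #12 file plus the admin's scope grant is enough to act as any user in the domain, which is why the key file must be protected like a domain admin password.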